
Teleport Audit Events Integration

<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.2.1 (View all) |
| Compatible Kibana version(s) | 8.14.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Elastic |

</div>

Teleport provides connectivity, authentication, access controls, and audit for infrastructure.

This integration ingests audit events from Teleport. You can use it to perform historical analysis, detect unusual behavior, and form a better understanding of how users interact with your Teleport cluster.

Use this integration to collect and parse audit event logs from various events supported by Teleport. Then visualize that data in Kibana using the included dashboard, create alerts to notify you if something goes wrong, and reference logs when troubleshooting an issue.

For example, you can filter for failed authorization events and examine the graph of the number of these attempts by time, as well as such data points as the geographical location of clients and related user names.

The Teleport integration collects the following logs:

  • audit: events from Teleport audit logs.

Elastic Agent must be installed. For more details and installation instructions, please refer to the Elastic Agent Installation Guide.

There are several options for installing and managing Elastic Agent:

  • Fleet-managed: you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend Fleet management because it makes managing and upgrading your agents considerably easier.

  • Standalone: you install Elastic Agent and manually configure it locally on the system where it is installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

  • Containerized: you run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

Please note, there are minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent Minimum Requirements.

Check out the guide on configuring Teleport’s Event Handler plugin to make it send audit logs to the Elasticsearch instance.

See the Getting started guide for instructions on setting up the Elastic Stack.

  1. In Kibana navigate to Management > Integrations.
  2. In "Search for integrations" top bar, search for Teleport.
  3. Select the "Teleport" integration from the search results.
  4. Select "Add Teleport" to add the integration.
  5. Add all the required integration configuration parameters, including Paths (the file locations on the agent host from which Elastic Agent reads the Teleport audit events).
  6. Select "Save and continue" to save the integration.

Logs help you keep a record of events happening in Teleport.

The audit data stream collects JSON documents from Teleport audit logs.

Event fields are mapped either into the Elastic Common Schema, its extensions, or into custom fields. The latter are grouped into logical categories, such as teleport.audit.session.*.

Each event is categorized using the four Elastic Common Schema categorization fields: event.kind, event.category, event.type, and event.outcome.
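As an added example, not code from the integration or from Teleport, the following Python script does for a handful of constructed Teleport audit events what the page describes above: it maps each event onto event.kind, event.category, event.type and event.outcome, keeps fields with no ECS equivalent under a custom teleport.audit.* namespace, and then runs the query suggested in the introduction (failed authentication attempts grouped by user name and client address). The event names, codes and field names (event, code, user, success, addr.remote, sid) follow Teleport's JSON audit format; the values are made up, and the mapping table and the code-suffix rule for deriving an outcome are assumptions, not the integration's real ingest pipeline.

```python
"""Added example (not the integration's own pipeline): parse Teleport audit
events as JSON lines, map them onto the four ECS categorization fields, and
count failed logins per user and source IP."""

import json
from collections import Counter

# Constructed sample log. Field names follow Teleport's JSON audit event
# layout; users, addresses and timestamps are made up. The final line is
# deliberately malformed to show that one bad line does not drop the batch.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"event": "user.login", "code": "T1000I", "time": "2024-06-01T10:00:00Z",
                "uid": "e1", "user": "alice", "success": True, "method": "local",
                "addr.remote": "203.0.113.10:51234"}),
    json.dumps({"event": "user.login", "code": "T1000W", "time": "2024-06-01T10:00:05Z",
                "uid": "e2", "user": "bob", "success": False, "method": "local",
                "error": "invalid username or password", "addr.remote": "198.51.100.7:40001"}),
    json.dumps({"event": "user.login", "code": "T1000W", "time": "2024-06-01T10:00:09Z",
                "uid": "e3", "user": "bob", "success": False, "method": "local",
                "error": "invalid username or password", "addr.remote": "198.51.100.7:40002"}),
    json.dumps({"event": "session.start", "code": "T2000I", "time": "2024-06-01T10:01:00Z",
                "uid": "e4", "user": "alice", "sid": "s-1", "server_hostname": "db-01",
                "addr.remote": "203.0.113.10:51240"}),
    json.dumps({"event": "session.end", "code": "T2004I", "time": "2024-06-01T10:20:00Z",
                "uid": "e5", "user": "alice", "sid": "s-1"}),
    "{this line is not valid JSON",
])

# Assumed mapping from Teleport event names to ECS event.category / event.type.
# The integration ships its own, larger mapping; this table is an illustration.
ECS_CATEGORIZATION = {
    "user.login":    (["authentication"], ["start"]),
    "session.start": (["session"], ["start"]),
    "session.end":   (["session"], ["end"]),
}


def derive_outcome(raw):
    """ECS event.outcome: prefer the explicit 'success' flag; otherwise fall
    back on the Teleport code suffix (I = info, W = warning, E = error).
    The suffix rule is an assumption used here for events without a flag."""
    if "success" in raw:
        return "success" if raw["success"] else "failure"
    suffix = str(raw.get("code", ""))[-1:]
    if suffix == "I":
        return "success"
    if suffix in ("W", "E"):
        return "failure"
    return "unknown"


def split_remote_addr(addr):
    """'198.51.100.7:40001' -> ('198.51.100.7', 40001); also handles '[::1]:22'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def to_ecs(raw):
    """Map one Teleport audit event to an ECS-shaped document. Fields with
    no ECS equivalent go under the custom teleport.audit.* namespace."""
    category, etype = ECS_CATEGORIZATION.get(raw.get("event"), ([], []))
    doc = {
        "@timestamp": raw.get("time"),
        "event": {"kind": "event", "category": category, "type": etype,
                  "outcome": derive_outcome(raw), "action": raw.get("event"),
                  "code": raw.get("code"), "id": raw.get("uid")},
        "teleport": {"audit": {}},
    }
    if "user" in raw:
        doc["user"] = {"name": raw["user"]}
    if "addr.remote" in raw:
        ip, port = split_remote_addr(raw["addr.remote"])
        doc["source"] = {"ip": ip, "port": port}
    if "error" in raw:
        doc["error"] = {"message": raw["error"]}
    if "sid" in raw:
        doc["teleport"]["audit"]["session"] = {"id": raw["sid"]}
    return doc


def parse_audit_log(text):
    """Parse JSON lines into ECS documents, skipping lines that are not JSON."""
    docs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            continue  # a single corrupt line must not abort the whole batch
        docs.append(to_ecs(raw))
    return docs


def failed_logins(docs):
    """Count authentication failures per (user name, source IP)."""
    hits = Counter()
    for d in docs:
        ev = d["event"]
        if "authentication" in ev["category"] and ev["outcome"] == "failure":
            hits[(d.get("user", {}).get("name"), d.get("source", {}).get("ip"))] += 1
    return hits


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (user, ip), n in failed_logins(parsed).most_common():
        print(f"{n} failed login(s) for user {user!r} from {ip}")
```

Run against the constructed log, the script reports two failed logins for bob from 198.51.100.7, which is exactly the (user.name, source.ip) pair the Kibana dashboard would surface when you filter on event.category:authentication and event.outcome:failure. The same structure is what lets an alert rule key on ECS fields regardless of which Teleport event name produced them.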